Electronic system of management of multi-address access

ABSTRACT

Intelligent access management system contains an electronic key executed for fingerprint identification of the user. The multi-address access management system contains an electronic key, an electronic lock, a storage device, an identification and processing unit. The electronic key includes a wafer and mounted on the wafer: a scanning device for obtaining the fingerprint data of the user's fingers and converting them into a digital format, a device for interfacing the electronic key with the electronic lock, a key management device, a device for display of information about the state of the key and the input information, a power supply unit, a storage device, and the electronic lock contains an access blocking device which is connected to the output of the identification and processing unit. The invention ensures using the key for diverse access management systems with reduced risk of unscrupulous use of the electronic key by an illicit user.

TECHNICAL FIELD

The invention relates to intelligent access management systems which contain an electronic key executed with the possibility of fingerprint identification of the user, and can be used in any area in which protected access to financial, material and information resources is necessary.

PRIOR ART

Access management means are used in the security systems of organizations and businesses, access monitoring systems in the banking sector in settlements for goods and services consumed, systems of management of access to information and software resources, devices for monitoring access to motor vehicles [patents RU No. 2208247, No. 2035067, No. 2106014].

Some of these means, when they are lost, can be illicitly used by outside parties. In addition, many devices in which protection from illicit access is ensured by use of digital or alphanumeric codes with a limited number of characters (and accordingly a limited number of combination variations) do not ensure the proper level of protection, since these codes can be easily cracked using special methods and means of technical surveillance, for example remote observation or electromagnetic monitoring.

These defects were partially remedied in a device disclosed in the specification for patent RU 2212708 published on Sep. 20, 2003, which contains an electronic key executed with the possibility of fingerprint identification of the user. This device can be adopted as a prototype of the suggested invention. It contains a key wafer, and mounted on it the following: a scanning device which ensures reception of the fingerprint data of the user's finger and their conversion into digital format, a storage device, an identification and processing unit connected to the storage device, a device for interfacing the electronic key with an electronic lock which is connected to the main computer, which device transmits to the main computer the user fingerprint identification code which was obtained in scanning, with a reference print stored in the storage device, and a key management device in the form of a set of function keys, a device for display of information about the state of the key and input information, and a power supply unit.

The disadvantage of this device is the inadequate degree of protection of the electronic key from the encroachments of unscrupulous outside parties.

DISCLOSURE OF THE INVENTION

The object of this invention is to develop a universal electronic key which ensures the possibility of its use for several different systems of access management, with increased ease of obtaining access to various material, information and financial resources, which implements identification of the user by fingerprints, with a reduced risk of unscrupulous use of the electronic key by an illicit user in the case of its loss, misappropriation or other illegal action.

According to this invention, this object is achieved in that in the multi-address access management system which contains an electronic key, an electronic lock, a storage device, an identification and processing unit, the electronic key including a wafer and the following mounted on the wafer: a scanning device for obtaining the fingerprint data of the user's fingers and converting them into a digital format, a device for interfacing the electronic key with the electronic lock, a key management device, a device for display of data about the state of the key and the input information, a power supply unit, a storage device, an identification and processing unit are mounted in the electronic lock, the electronic lock additionally contains an access blocking device which is connected to the output of the identification and processing unit which upon a decision about the identification “illicit user” makes it impossible to further use the electronic key for a given protected resource, the scanning device is made with the possibility of obtaining the fingerprint data of at least two fingers of the user, the identification and processing unit is made with the possibility of making decisions according to delivered fingerprint data of at least two fingers of the user and their time sequence, the key management device contains the input device of the key use mode, which for a given protected resource ensures the electronic key initialization mode and the mode of its working use, and an additional memory unit for storing information for access to the electronic lock for each of the protected resources which are accessible to the electronic key, and is made with the possibility of supporting multi-address access to the electronic locks of various protected resources.

In a preferred version of its design the unit for processing and identification of the electronic lock has independent units for comparison of two or more user fingerprints and a circuit for determining the time sequence of delivery of signals of their images to this device.

In some design versions of the electronic management system its electronic key can additionally contain a signal encoding unit which is connected between the input of the electronic lock and the input of the storage device of the electronic lock, and a signal decoding unit which is connected between the output of the storage device of the electronic lock and the electronic lock processing and identification unit.

In some design versions of the electronic management system its electronic key can additionally contain a data encoding unit which is connected between the output of the scanning device and the input of the interface device of the electronic key with the electronic lock, and the electronic lock contains a data decoding unit which is connected between the input of the electronic lock and the electronic lock processing and identification unit.

In some design versions of the electronic management system its electronic key can additionally contain an electronic key storage device which is designed for storage of reference data of user fingerprint samples and the time sequence of their scanning, the electronic key processing and identification unit, which are made with the possibility of making decisions from the delivered data of the prints of at least two fingers of the user and their time sequence, and a key blocking device whose input is connected to the output of the electronic key processing and identification unit.

In addition, the output of the key blocking device can be connected to the interface device of the electronic key with the electronic lock.

In some design versions of the electronic management system its electronic lock can additionally contain an alarm notification device which is connected to the output of the identification and processing unit which is actuated for a decision about the identification “forcible access”, and the electronic key additionally contains a key blocking device which is connected to the interface device of the electronic key with the electronic lock, which upon a decision about identification “forcible access” makes further use of the electronic key impossible for the entire aggregate of protected resources which are accessible to the electronic key.

DESCRIPTION OF THE DRAWINGS

The invention is explained using FIGS. 1-7 which schematically show possible modifications of the electronic multi-address access management system.

The reference numbers of the units shown in FIGS. 1-7 are described below:

1—key wafer, 2—scanning device, 3—interface device of the key with the electronic lock, 4—key management device, 5—display device, 6—key power supply unit, 7—management device memory unit, 8—key use mode input unit, 9—electronic lock, 10—storage device, 11—identification and processing unit, 12—access blocking device, 13—lock power supply unit, 14—unit for comparison of the prints of one of the fingers, 15—unit for comparison of the prints of a second of the fingers, 16—circuit for determining the time sequence of signal delivery, 19—data encoding unit, 20—data decoding unit, 21—key storage device, 22—key identification and processing unit, 23—key blocking device, 24—alarm notification device.

The proposed electronic multi-address access management system (FIG. 1) contains an electronic key which includes a wafer 1, the following mounted on the wafer 1: a scanning device 2, an interface device 3 of the key to the electronic lock, a key management device 4 which includes the management device memory unit 7, a key use mode input unit 8, a display device 5, a key power supply unit 6, an electronic lock 9 which includes the storage device 10, an identification and processing unit 11, an access blocking device 12, and a lock power supply unit 13.

The proposed electronic multi-address access management system (FIG. 2) contains an electronic key which includes a wafer 1, the following mounted on the wafer 1: a scanning device 2, an interface device 3 of the key to the electronic lock, a key management device 4 which includes the management device memory unit 7, a key use mode input unit 8, a display device 5, a key power supply unit 6, an electronic lock 9 which includes the storage device 10, an identification and processing unit 11, an access blocking device 12, a lock power supply unit 13, a unit for comparison of the prints of one of the fingers 14, a unit for comparison of the prints of a second of the fingers 15, and a circuit for determining the time sequence of signal delivery 16.

The proposed electronic multi-address access management system (FIG. 3) contains an electronic key which includes a wafer 1, the following mounted on the wafer 1: a scanning device 2, an interface device 3 of the key to the electronic lock, a key management device 4 which includes the management device memory unit 7, a key use mode input unit 8, a display device 5, a key power supply unit 6, an electronic lock 9 which includes the storage device 10, an identification and processing unit 11, an access blocking device 12, a lock power supply unit 13, a signal encoding unit 17, a signal decoding unit 18.

The proposed electronic multi-address access management system (FIG. 4) contains an electronic key which includes a wafer 1, the following mounted on the wafer 1: a scanning device 2, an interface device 3 of the key to the electronic lock, a key management device 4 which includes the management device memory unit 7, a key use mode input unit 8, a display device 5, a key power supply unit 6, an electronic lock 9 which includes the storage device 10, an identification and processing unit 11, an access blocking device 12, a lock power supply unit 13, a data encoding unit 19, and a data decoding unit 20.

The proposed electronic multi-address access management system (FIG. 5) contains an electronic key which includes a wafer 1, the following mounted on the wafer 1: a scanning device 2, an interface device 3 of the key to the electronic lock, a key management device 4 which includes the management device memory unit 7, a key use mode input unit 8, a display device 5, a key power supply unit 6, an electronic lock 9 which includes the storage device 10, an identification and processing unit 11, an access blocking device 12, a lock power supply unit 13, a key storage device 21, a key identification and processing unit 22, and a key blocking device 23.

The proposed electronic multi-address access management system (FIG. 6) contains an electronic key which includes a wafer 1, the following mounted on the wafer 1: a scanning device 2, an interface device 3 of the key to the electronic lock, a key management device 4 which includes the management device memory unit 7, a key use mode input unit 8, a display device 5, a key power supply unit 6, an electronic lock 9 which includes the storage device 10, an identification and processing unit 11, an access blocking device 12, a lock power supply unit 13, a key storage device 21, a key identification and processing unit 22, and a key blocking device 23.

The proposed electronic multi-address access management system (FIG. 7) contains an electronic key which includes a wafer 1, the following mounted on the wafer 1: a scanning device 2, an interface device 3 of the key to the electronic lock, a key management device 4 which includes the management device memory unit 7, a key use mode input unit 8, a display device 5, a key power supply unit 6, an electronic lock 9 which includes the storage device 10, an identification and processing unit 11, an access blocking device 12, a lock power supply unit 13, an alarm notification device 24, and a key blocking device 23.

Principle of Realization of the Invention

The proposed electronic multi-address access management system works as follows.

The use of the electronic key to obtain access to a specific protected resource presupposes its preliminary initialization (registration) in the corresponding electronic lock. The electronic key is initialized as follows. Using the management device 4 the user connects the electronic key, establishes the initialization mode, specifies the type of the electronic lock/protected resource (for example ATM, work station, computer with access to an electronic bank to protected Internet resources etc., house or apartment, motor vehicle) and shapes the signal to start scanning. Then, on the scanning device 2 the user registers the pads of two or more fingers in a sequence determined by him for scanning their prints, afterwards he shapes the signal to end scanning (registration of a sample of input fingerprints for a given time delay after the last fingerprint input by the user is possible). Information about the aggregate of fingerprints and the sequence of their scanning which was obtained as a result of scanning is transmitted via the interface device 3 of the electronic key with the electronic lock to the storage device 10 of the electronic lock 9 where it is registered with attachment to the individual information of the user of a given resource (FIO, address, digital key no., user status, etc.); here the electronic lock delivers to the electronic key information which ensures subsequent attachment of a given electronic key to the database of the electronic lock (including, if necessary, searching for the corresponding data of the lock in a worldwide database) and “initialization completed” signal.

In the case of unsuccessful scanning of the user's fingerprints a “repeat scanning” signal is sent from the electronic lock 9 to the digital key, in doing so the corresponding information is displayed on the key display device 5.

Information about completion of initialization of the electronic key 1 in the electronic lock 9 is displayed by the display device 5.

Use of the electronic key in the working mode proceeds as follows. Using the key management device 4 the electronic key is connected, the “use” mode is established, the specific protected resource to which access is intended is set, and the signal to start scanning is shaped. Then the user registers on the scanning device 2 the pads of his fingers in a sequence determined by him for scanning their prints, afterwards he shapes the signal to end scanning (registration of a sample of input fingerprints for a given time delay after the last fingerprint which has been input by the user is possible).

Information about the aggregate of fingerprints, including the fingerprint traits of the user's fingers, and the time sequence of their scanning, which was obtained as a result of scanning, is transmitted via the interface device of the electronic key with the electronic lock to the electronic lock identification and processing unit 11, where comparison of the user's fingerprints and the time sequence of their scanning to the data which have been stored in the electronic lock storage device 10 and which are registered when the electronic key is initialized is done (user identification).

With positive identification of the user by the identification and processing unit 11 the criterion “legitimate user” is formed and is sent to the access blocking device 12 and via the interface device 3 of the electronic key with the electric lock, to the electronic key where it is displayed by the display device 5. In doing so, access to resources according to the user status is opened to the given electronic key.

For an insufficient level of probability of correct identification (due for example to poor quality of the completed user fingerprint scanning) the electronic lock identification and processing unit 11 forms the criterion “additional scanning” which is sent via the interface device 3 of the electronic key with the electric lock to the key management device 4 and display unit 5. In this case the user for identification should repeat the scanning procedure. The number of repeated scanning attempts is limited to a given number.

For negative identification of the user by the identification and processing unit 11 the criterion “illicit user” is formed.

The decision about identification “illicit user” which makes impossible further use of the electronic key for a given type of protected resources is made for negative identification of the user according to some of the monitored criteria, for example when an incorrect sequence of fingerprint scanning is ascertained, one of the fingerprints does not match, etc. or attempts at repeated scanning according to the previous item are exhausted.

The criterion “illicit user” which is formed by the identification and processing unit 11 is sent to the access blocking device 12 which blocks the electronic key and access from it to a given electronic lock/protected resource for a certain time interval (for example an hour, 24 hours, etc.). For repeated generation of the criterion “illicit user” for a given electronic key (which is done for a repeated attempt to identify the user after the time interval of blocking of a given electronic key has expired), the access blocking device 12 finally blocks a given electronic key and access from it to a given electronic lock/protected resource.

For comparison of the prints of two fingers of the user with allowance for the time sequence of delivery of the signals of these prints to the key identification and processing unit 11 the interconnected independent unit 14 for comparison of the prints of one of the fingers, the unit 15 for comparison of the prints of the second of the fingers, and circuits 16 for determining the time sequence of signal delivery can be connected in sequence (FIG. 2).

Reference information about the fingerprints of a legitimate user when the key is initialized is sent for storage in the storage device 10 of the electronic lock 9 via the signal coding unit 17 (FIG. 3), in doing so, to carry out identification of the user in the working mode the reference information is sent to the identification and processing unit 11 via the signal decoding unit 18.

Information about the user fingerprints from the scanning device 2 can be transmitted to the interface device 3 of the electronic key with the electronic lock via the fingerprint information coding unit 19 (FIG. 4) and when sent to the electrical lock 9 prior to transmission to the storage device 10 (when the key is initialized) and to the identification and processing unit 11 (in the working mode) it can be sent beforehand to the fingerprint information decoding unit 20.

The operation of the proposed multi-address access management system executed in accordance with the diagram which corresponds to FIG. 5 differs in that the information about the aggregate of fingerprints, including fingerprint traits of the user's fingers, and the time sequence of their scanning, which was obtained as a result of scanning, is sent to the key identification and processing unit 22 where comparison of the fingerprints of the user and the time sequence of their scanning to the data which have been stored in the key storage device 21 and which are registered when the electronic key is initialized is done.

For negative identification of the user, the key blocking device 23 blocks access of the electronic key to the electronic lock 9. The corresponding information is transmitted to the device 5 for display.

For positive identification of the user by the key identification and processing unit 22 the criterion “access to second stage opened” is formed and sent to the display device 5 and via the interface device 3 of the electronic key with the electric lock to the electronic lock 9. In doing so, the information of completed scanning about the aggregate of fingerprints, including the fingerprint traits of the user's fingers, and the time sequence of their scanning is also sent to the electronic lock 9 via the interface device 3, where it is compared to the reference information stored in the storage device 10 of the electronic lock in the electronic lock identification and processing unit 11.

For positive identification of the user by the electronic lock 9 identification and processing unit 11 the user acquires access to resources according to his status.

For negative identification of the user, the electronic key and access from it to a given electronic lock/protected resource are blocked according to the general operating scheme of the system (FIG. 1).

The suggested multi-address access management system (FIG. 6) which additionally contains a key blocking device 23 additionally delivers to the electronic lock 9 information about negative identification of the user for blocking of a given electronic key by the electronic lock.

In the proposed system (FIG. 7), in the identification and processing unit 11 there is the additional possibility of ascertaining a situation of forcible access to the protected resource with generation of the “forcible access” criterion in this case.

The decision about identification “forcible access” which makes it impossible to further use the electronic key for the entire aggregate of protected resources accessible to the electronic key, with downloading of the alarm notification device of the electric lock is made when the electronic lock identification and processing unit in the composition of the information having been sent from the electronic key ascertains certain data coded as criteria of forcible access. These data (their composition is determined by a legitimate user from the established list and is registered when the key is initialized) can be for example the presence, in the data which have been sent from the electronic key, of results of scanning of the print of a certain finger of the user which indicates this situation, lack of agreement with data of a reference scan for all delivered fingerprints, etc. Operation of the “forcible access” system is established at the request of the user when the key is initialized.

The criterion “forcible access” which is formed by the identification and processing unit 11 is sent to the access blocking device 12 which blocks the electronic key and access from it to a given electronic lock/protected resource, to the alarm notification device 24 of the electronic lock which delivers a certain signal to the corresponding security service, and also via the interface device 3 to the key blocking device 23. The latter upon reception of the “forcible access” criterion blocks further use of the electronic key for the entire aggregate of protected resources accessible to it.
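The lock-side decisions described above (the criteria “legitimate user”, “additional scanning”, “illicit user” and “forcible access”, with per-resource blocking by device 12 and whole-key blocking by device 23) can be modelled as a small state machine. This is an added illustration, not part of the patent text; fingerprint matching is abstracted to a (finger label, match score) pair, and the thresholds, the retry limit, the finger labels and all class and field names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

LEGITIMATE, ADDITIONAL, ILLICIT, FORCIBLE, BLOCKED = (
    "legitimate user", "additional scanning", "illicit user",
    "forcible access", "blocked")


@dataclass
class Lock:
    """One electronic lock: identification unit 11 plus access blocking device 12."""
    sequence: tuple                      # enrolled finger labels, in enrolled order
    duress_finger: Optional[str] = None  # chosen by the user at initialization
    accept: float = 0.90                 # assumed matcher thresholds
    reject: float = 0.60
    max_rescans: int = 2                 # assumed value for the "given number"
    block_seconds: int = 3600            # "for example an hour"
    rescans_used: int = 0
    illicit_count: int = 0
    blocked_until: float = 0.0
    permanently_blocked: bool = False
    alarm_raised: bool = False           # alarm notification device 24

    def _illicit(self, now):
        self.rescans_used = 0
        self.illicit_count += 1
        if self.illicit_count >= 2:      # repeated "illicit user": final block
            self.permanently_blocked = True
        else:                            # first time: block for a time interval
            self.blocked_until = now + self.block_seconds
        return ILLICIT

    def identify(self, scan, now):
        """scan: list of (matched finger label, match score) in scanning order."""
        if self.permanently_blocked or now < self.blocked_until:
            return BLOCKED
        # Duress criterion modelled here: a registered finger appears in the scan.
        if self.duress_finger is not None and any(
                f == self.duress_finger and s >= self.accept for f, s in scan):
            self.permanently_blocked = True
            self.alarm_raised = True
            return FORCIBLE
        worst = min((s for _, s in scan), default=0.0)
        if worst < self.reject:          # a print does not match
            return self._illicit(now)
        if worst < self.accept:          # poor scan quality: ask again, bounded
            self.rescans_used += 1
            if self.rescans_used > self.max_rescans:
                return self._illicit(now)
            return ADDITIONAL
        if tuple(f for f, _ in scan) != self.sequence:   # wrong time sequence
            return self._illicit(now)
        # The text does not say whether success clears an earlier "illicit user"
        # strike; this sketch keeps it.
        self.rescans_used = 0
        return LEGITIMATE


@dataclass
class Key:
    """The electronic key: one lock per protected resource, blocking device 23."""
    locks: dict = field(default_factory=dict)
    blocked_everywhere: bool = False

    def present(self, resource, scan, now):
        if self.blocked_everywhere:
            return BLOCKED
        result = self.locks[resource].identify(scan, now)
        if result == FORCIBLE:           # blocks the key for all resources
            self.blocked_everywhere = True
        return result


def demo():
    """Constructed scenario; timestamps are seconds, scores are invented."""
    key = Key({"atm": Lock(("R-index", "L-thumb"), duress_finger="L-little"),
               "car": Lock(("R-index", "L-thumb"))})
    good = [("R-index", 0.97), ("L-thumb", 0.95)]
    swapped = list(reversed(good))
    duress = [("R-index", 0.97), ("L-little", 0.96)]
    return [
        key.present("car", good, 0),        # correct prints, correct order
        key.present("car", swapped, 10),    # wrong order: temporary block
        key.present("car", good, 20),       # still inside the block interval
        key.present("atm", good, 30),       # the block was per resource
        key.present("car", swapped, 4000),  # repeated after expiry: final block
        key.present("car", good, 8000),
        key.present("atm", duress, 8100),   # duress finger: alarm, key blocked
        key.present("atm", good, 8200),     # key is now unusable everywhere
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```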

For practical implementation of the proposed electronic key, standard electronic parts can be used, the requirements for which do not exceed the capabilities of modern microcircuit engineering. Almost all the assemblies of the device are standard and are widely used in modern hardware.

The electronic multi-address access management system suggested in this invention has the following advantages.

1. The electronic universal access device is a universal means of access to different types of resources (for example, ATM, work station, computer with access to an electronic bank, protected Internet resources etc., house or apartment, motor vehicle), therefore it is sufficient for the user to have one electronic key for obtaining access to different protection systems.

2. When using an electronic universal access device to access monitored resources, the decision whether the holder of the electronic key is a legitimate user is made based on a comparison of the data of scanning of the prints of two and more fingers of the key holder in a certain sequence which are obtained from the scanning device with data of reference scanning of the fingerprints (sample of scanning of the fingerprints of a legitimate user formed when the electronic key is initialized) which are stored in the memory of the electronic lock; this greatly increases the level of protection of the system from an attempt at unscrupulous access and makes it possible to significantly reduce the risk of unscrupulous use of the electronic key by an illicit user in the case of its loss or theft.

3. When using this access management system the risk of an outside party unscrupulously obtaining information for access to the protected resources in the process of transmitting scanning data via the interface device of the electronic key with the electronic lock is reduced due to use of encoding of the information being transmitted.

4. When using this access management system the risk of an outside party unscrupulously obtaining information for access to the protected resources from the database of the electronic lock is reduced due to encoding of the information stored in it.

5. When using this access management system the user is protected from an attempt at forcible access to the protected resources due to the hardware and software of the system which ensure that this situation is detected according to criteria coordinated beforehand with a legitimate user and which guarantee blocking of the electronic key for all types of resources accessible to it with delivery of a signal to the alarm notification device of the electronic key.

6. When a digital key is lost the user can use a new digital key for access by first initializing it.

1. Electronic multi-address access management system which contains an electronic key, an electronic lock, a storage device, an identification and processing unit, the electronic key including a wafer and the following mounted on the wafer: a scanning device for obtaining the fingerprint data of the user's fingers and converting them into a digital format, a device for interfacing the electronic key with the electronic lock, a key management device, a device for display of information about the state of the key and the input information, a power supply unit, characterized in that the storage device, the identification and processing unit are mounted in the electronic lock, the electronic lock additionally contains an access blocking device which is connected to the output of the identification and processing unit which upon a decision about the identification “illicit user” makes further use of the electronic key impossible for a given protected resource, the scanning device is made with the possibility of obtaining the fingerprint data of at least two fingers of the user, the identification and processing unit is made with the possibility of making decisions according to delivered fingerprint data of at least two fingers of the user and their time sequence, the key management device contains the input device of the key use mode, which for a given protected resource ensures the electronic key initialization mode and the mode of its working use, and an additional memory unit for storing information for access to the electronic lock for each of the protected resources which are accessible to the electronic key, and is made with the possibility of supporting multi-address access to the electronic locks of various protected resources.

2. System as claimed in claim 1, wherein the unit for processing and identification of the electronic lock has independent units for comparison of two or more user fingerprints and a circuit for determining the time sequence of delivery of signals of their images to this device.

3. System as claimed in claim 1, wherein the electronic lock additionally contains a signal encoding unit which is connected between the input of the electronic lock and the input of the storage device of the electronic lock, and a signal decoding unit which is connected between the output of the storage device of the electronic lock and the electronic lock processing and identification unit.

4. System as claimed in claim 1, wherein the electronic key additionally contains a data encoding unit which is connected between the output of the scanning device and the input of the interface device of the electronic key with the electronic lock, and the electronic lock contains a data decoding unit which is connected between the input of the electronic lock and the electronic lock processing and identification unit.

5. System as claimed in claim 1, wherein the electronic key additionally contains an electronic key storage device which is designed for storage of reference data of user fingerprint samples and the time sequence of their scanning, the electronic key processing and identification unit, which are made with the possibility of making decisions from the delivered data of the prints of at least two fingers of the user and their time sequence, and a key blocking device whose input is connected to the output of the electronic key processing and identification unit.

6. System as claimed in claim 5, wherein the output of the key blocking device is connected to the interface device of the electronic key with the electronic lock.

7. System as claimed in claim 1, wherein the electronic lock additionally contains an alarm notification device which is connected to the output of the identification and processing unit which is actuated for a decision about identification “forcible access”, and the electronic key additionally contains a key blocking device which is connected to the interface device of the electronic key with the electronic lock, which upon a decision about identification “forcible access” makes further use of the electronic key impossible for the entire aggregate of protected resources which are accessible to the electronic key.